Kerberos error - KDC reply did not match expectations
Lamping, Paul A
plamping at lake.ollusa.edu
Fri Oct 30 17:08:02 EDT 2009
Problem solved!
The trouble was the 'realm' parameter should have been named
"OLLUSA.EDU" and not "OLLUSA." I had seen the OLLUSA name mentioned in
the Active Directory tools area, but I learned that the Kerberos domain
name is always the domain name (ollusa.edu) in upper case. By viewing
the event logs on the AD server, I found a successful login that had
used the OLLUSA.EDU realm, so that provided the necessary clue.
Paul
From: Lamping, Paul A
Sent: Thursday, October 29, 2009 5:46 PM
To: 'kerberos at mit.edu'
Subject: Kerberos error - KDC reply did not match expectations
I'm new to Kerberos and I have an issue in setting my AIX 5.3 system to
authenticate against a Windows 2003 Active Directory server via
Kerberos. I followed the instructions from the IBM website on Kerberos
integration
(http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.security/doc/security/kerberos_auth_only_load_module.htm).
Whatever I do, I can't get my Kerberos user to authenticate when I log in
or su to that user. I get an "unable to authenticate" message and
"KDC reply did not match expectations" in the syslog file.
Oct 29 17:23:44 olladmin_1 auth|security:debug su: [krb_authenticate] Error in getting TGT ...
Oct 29 17:23:44 olladmin_1 auth|security:debug su: KDC reply did not match expectations
Oct 29 17:23:44 olladmin_1 auth|security:crit su: BAD SU from plamping to krbtest at /dev/pts/60
Here's my config.krb5 command, run from our AIX server olladmin_1.ollusa.edu:
config.krb5 -C -r OLLUSA -d ollusa.edu -c ollusa4.ollusa.edu -s ollusa4.ollusa.edu
I think that my REALM (the -r parameter) is OLLUSA because when I open
up "Active Directory Users and Computers" tool, the properties of the
main entry, ollusa.edu, says that the Domain name = OLLUSA. I made sure
that it is capitalized in the krb5.conf file.
Our Active Directory admins ran the Ktpass command this way:
Ktpass -princ host/olladmin_1.ollusa.edu at OLLUSA -mapuser olladmin_1 -pass ******** -out olladmin_1.keytab
I transferred the keytab file and imported it using ktutil, creating
krb5.keytab. I made sure that KVNO as listed in ktutil is the same as
the output of the Ktpass command.
I added these lines to my /usr/lib/security/methods.cfg:
KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,tgt_verify=no,kadmind=no,is_kadmind_compat=no
KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A
I updated /etc/krb5/krb5.conf so that the default_tkt_enctypes and
default_tgs_enctypes were set to "des-cbc-md5 des-cbc-crc" and I added
the line "dns_lookup_kdc = true".
Then I created users in both AD and AIX, making sure that the AIX user
was set up with "registry=KRB5Afiles SYSTEM=KRB5Afiles".
I checked the clocks. My AD server and my AIX server are 4 minutes
apart. I think the Kerberos limit is 5 minutes.
So I've exhausted all the hints and advice that I've seen on all the
mailing lists and forums. Does anyone have any more ideas?
Paul
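A sanity check for the realm-name mistake this thread ends up on (the AD realm is the DNS domain in upper case, OLLUSA.EDU, not the short domain name OLLUSA), written as an added example that is not from the thread or from IBM's config.krb5 tooling. It parses a constructed krb5.conf modelled on the settings in the original message and reports realm mismatches, the 5-minute clock-skew limit mentioned above, and the single-DES enctypes; the sample file, the hostnames and the `section`/`check_krb5_conf` functions are assumptions made for the example.

```python
import re

# Constructed sample krb5.conf reproducing the thread's mistake: the realm is
# the short AD domain name OLLUSA instead of the DNS domain in upper case.
BAD_CONF = """\
[libdefaults]
    default_realm = OLLUSA
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    dns_lookup_kdc = true
[realms]
    OLLUSA = {
        kdc = ollusa4.ollusa.edu:88
    }
[domain_realm]
    .ollusa.edu = OLLUSA
    ollusa.edu = OLLUSA
"""
# The same file with the realm spelled the way AD expects it.
GOOD_CONF = BAD_CONF.replace("OLLUSA", "OLLUSA.EDU")

MAX_SKEW_SECONDS = 300  # the 5-minute clock skew the thread refers to

def section(conf, name):
    """Return the body of [name] up to the next section header ('' if absent)."""
    m = re.search(r"^\[" + re.escape(name) + r"\]\s*\n(.*?)(?=^\[|\Z)", conf, re.M | re.S)
    return m.group(1) if m else ""

def check_krb5_conf(conf, dns_domain, clock_skew_seconds):
    """Return a list of findings; an empty list means every check passed."""
    expected = dns_domain.upper()          # AD realm == DNS domain, upper case
    findings = []
    libdefaults = section(conf, "libdefaults")
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", libdefaults, re.M)
    realm = m.group(1) if m else None
    if realm != expected:
        findings.append(f"default_realm is {realm!r}; expected {expected!r}")
    if not re.search(r"^\s*" + re.escape(expected) + r"\s*=\s*\{", section(conf, "realms"), re.M):
        findings.append(f"[realms] has no entry for {expected!r}")
    for dom, mapped in re.findall(r"^\s*(\S+)\s*=\s*(\S+)\s*$", section(conf, "domain_realm"), re.M):
        if dom.lstrip(".").lower() == dns_domain.lower() and mapped != expected:
            findings.append(f"[domain_realm] maps {dom} to {mapped!r}; expected {expected!r}")
    enctypes = " ".join(re.findall(r"^\s*default_t\w+_enctypes\s*=\s*(.+)$", libdefaults, re.M))
    if any(e.startswith("des-") for e in enctypes.split()):
        findings.append("single-DES enctypes configured; these are deprecated, prefer AES where the KDC supports it")
    if clock_skew_seconds > MAX_SKEW_SECONDS:
        findings.append(f"clock skew {clock_skew_seconds}s exceeds {MAX_SKEW_SECONDS}s")
    return findings
```

Running `check_krb5_conf(BAD_CONF, "ollusa.edu", 240)` reports the realm mismatch in all three sections plus the DES warning, while the corrected file leaves only the DES warning.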